Malicious code has been found on the Python Package Index (PyPI), the most popular location for sharing Python packages. This was reported by Slovak National Security Office which was then picked up by Bleeping Computer among other places (i.e. Reddit). The attack vector used typosquatting, which is basically someone uploading a package with a misspelled name of a popular package, for example lmxl instead of lxml.
You can see the original report from Slovak National Security Office here: http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
I saw this vector talked about last August in this blog post which a lot of people seemed to think little of. It’s interesting that now people are getting a lot more excited about the issue.
This also reminded me of the controversy over a startup called Kite which basically inserted adware / spyware into plugins, such as Atom, autocomplete-python, etc.
Packaging in Python needs some help. I like how much better it is now then it was 10 years ago, but there are still a lot of issues.